Security Breach at Orange County Company Leaks Millions of Title Insurance Records
The website for Fortune 500 real estate title insurance giant First American Financial Corporation leaked hundreds of millions of documents and records relating to mortgage deals going back more than 15 years. According to an article on KrebsOnSecurity.com, the digitized records, including bank account numbers and statements, Social Security numbers, driver’s license images, mortgage and tax records and wire transaction receipts, were available to pretty much anyone with a Web browser.
Open Access to Sensitive Information
Santa Ana-based First American is the leading provider of title insurance and settlement services, employing about 18,000 people and bringing in more than $5.7 billion in 2018. KrebsOnSecurity was reportedly contacted by a real estate developer in Washington State who said he had no luck getting the attention of the company even after he told them their website was leaking tens if not hundreds of millions of records.
Anyone who knew the URL for a valid document at the website could essentially view other documents just by modifying one digit in the link. This would potentially include anyone who has ever received a document link via email from the company. KrebsOnSecurity has confirmed that First American’s website exposed about 885 million files without requiring any type of authentication for access. Most exposed files are wire transactions with bank account numbers and other information from home or property buyers and sellers. As a title insurance agency, the company gathers all types of documents from both buyers and sellers, who provide this information with the expectation that it will be private and secure.
First American says the document leak happened because of a “design defect in an application.” A spokesperson told KrebsOnSecurity that the company has taken immediate action to shut down access to the application and is in the process of evaluating what impact this may have had on customer information.
If You Have Been Affected
There is no question that this is the kind of data breach that phishers, scammers and fraudsters would have a field day with. KrebsOnSecurity says Business Email Compromise (BEC) scams often impersonate real estate agents, closing agencies, and title and escrow firms to trick property owners into wiring funds to scammers. These types of scams are the most costly form of cybercrime today.
If you have been a victim of scams stemming from a data breach such as this one, please take every possible step to secure your information by monitoring your bank accounts and credit cards, changing passwords on your key accounts and signing up for a credit or identity monitoring service that will help monitor your financial accounts and sensitive personal information. You may also be able to seek compensation for your losses by filing a class-action lawsuit against the company, which had a legal obligation to protect your personal information. An experienced Orange County class action lawyer can help you evaluate your legal rights and options.